Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Dear Release Team,

I would like to update suckless-tools in jessie in order to fix a bug in the slock command (CVE-2016-6866). I have contacted the Security Team about this, and they decided this is not severe enough to warrant a DSA.

Attached is a full debdiff.

Thanks,
Ilias

[CVE-2016-6866] https://security-tracker.debian.org/tracker/CVE-2016-6866

-- 
Ilias

diff -Nru suckless-tools-40/debian/changelog suckless-tools-40/debian/changelog --- suckless-tools-40/debian/changelog 2016-02-26 13:07:26.000000000 +0200 +++ suckless-tools-40/debian/changelog 2016-09-12 17:25:07.000000000 +0300 @@ -1,3 +1,15 @@ +suckless-tools (40-1+deb8u2) stable-proposed-updates; urgency=medium + + * CVE-2016-6866: Fix SEGV in slock when users account has been disabled. + The screen locking application slock called crypt(3) and used the return + value for strcmp(3) without checking to see if the return value of crypt(3) + was a NULL pointer. + If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would + return NULL and set errno to EINVAL. This would cause slock to segfault + which then leaves the machine unprotected. + + -- Ilias Tsitsimpis <i.tsitsim...@gmail.com> Mon, 12 Sep 2016 16:17:14 +0300 + suckless-tools (40-1+deb8u1) stable-proposed-updates; urgency=medium * Set myself as the maintainer. diff -Nru suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch --- suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch 1970-01-01 02:00:00.000000000 +0200 +++ suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch 2016-09-12 16:09:57.000000000 +0300 
@@ -0,0 +1,48 @@ +Description: Fix CVE-2016-6866 + Fix SEGV in slock when users account has been disabled. + . + The screen locking application slock called crypt(3) and used the return + value for strcmp(3) without checking to see if the return value of crypt(3) + was a NULL pointer. + . + If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would + return NULL and set errno to EINVAL. This would cause slock to segfault + which then leaves the machine unprotected. +Author: Markus Teich <markus.te...@stusta.mhn.de> +Origin: upstream, http://git.suckless.org/slock/commit/?id=d8bec0f6fdc8 + +Index: b/slock/slock.c +=================================================================== +--- a/slock/slock.c ++++ b/slock/slock.c +@@ -85,7 +85,7 @@ readpw(Display *dpy) + readpw(Display *dpy, const char *pws) + #endif + { +- char buf[32], passwd[256]; ++ char buf[32], passwd[256], *encrypted; + int num, screen; + unsigned int len, llen; + KeySym ksym; +@@ -118,7 +118,11 @@ readpw(Display *dpy, const char *pws) + #ifdef HAVE_BSD_AUTH + running = !auth_userokay(getlogin(), NULL, "auth-xlock", passwd); + #else +- running = strcmp(crypt(passwd, pws), pws); ++ errno = 0; ++ if (!(encrypted = crypt(passwd, pws))) ++ fprintf(stderr, "slock: crypt: %s\n", strerror(errno)); ++ else ++ running = !!strcmp(encrypted, pws); + #endif + if(running != False) + XBell(dpy, 100); +@@ -262,6 +266,8 @@ main(int argc, char **argv) { + + #ifndef HAVE_BSD_AUTH + pws = getpw(); ++ if (strlen(pws) < 2) ++ die("slock: failed to get user password hash.\n"); + #endif + + if(!(dpy = XOpenDisplay(0))) diff -Nru suckless-tools-40/debian/patches/series suckless-tools-40/debian/patches/series --- suckless-tools-40/debian/patches/series 2016-02-26 13:08:45.000000000 +0200 +++ suckless-tools-40/debian/patches/series 2016-09-12 16:01:21.000000000 +0300 @@ -4,3 +4,4 @@ 2003_transparent-makefiles.patch 2004_use_system_searchpaths.patch 0001_resize_lockscreen.patch +0002_fix-cve-2016-6866.patch
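
Review bot: In the debian/changelog hunk, "users account" should read "user's account"; the same wording is repeated in the Description field of 0002_fix-cve-2016-6866.patch and is worth fixing in both places.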
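
Review bot: In the readpw() hunk at @@ -118,7 +118,11 @@, the branch taken when crypt() returns NULL only prints to stderr and never assigns running, so staying locked depends on whatever value running held before this statement. Setting it explicitly there (running = True;) would make the failure path visibly fail closed. The same hunk starts using errno and strerror(), and no hunk in this patch adds #include <errno.h>, so confirm slock.c already includes it.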
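
Review bot: In the main() hunk at @@ -262,6 +266,8 @@, strlen(pws) < 2 is only a length test, so a hash string of two or more characters that crypt(3) still rejects passes it, and slock then locks the screen with a hash that can never match while readpw() just logs "slock: crypt: ..." on every attempt. Consider validating the hash once here by calling crypt() with pws as the salt and calling die() if it returns NULL, before XOpenDisplay() is reached, so an unusable hash is reported before the screen is locked.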